c820bebaccaba0437b98a73187f7bd891e6aaf41e20158981b663c2af081bf8b

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Size

380KB
MD5

9f941e42c1e3b078e1cbe92d24fa039c
SHA1

71c65435d724937a130e1888a6b949c9744e5c5b
SHA256

c820bebaccaba0437b98a73187f7bd891e6aaf41e20158981b663c2af081bf8b
SHA512

00cec308d452a7aa94bc3e92fa4c5f1cba9334ad49118e012acdb8422e2ff9e47f75a90ce8e7d39c236b931a2c28729e23afb4cb122f951349e4fba4c3c14c8a
SSDEEP

3072:mEGh0oSlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGkl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}\stubpath = "C:\\Windows\\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe"	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}\stubpath = "C:\\Windows\\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe"	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}\stubpath = "C:\\Windows\\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe"	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DDBECD-AA1C-4234-855C-9F84E468D431}	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}\stubpath = "C:\\Windows\\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe"	{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}\stubpath = "C:\\Windows\\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe"	{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}	{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}\stubpath = "C:\\Windows\\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe"	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DDBECD-AA1C-4234-855C-9F84E468D431}\stubpath = "C:\\Windows\\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe"	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}	{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}\stubpath = "C:\\Windows\\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe"	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}	{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}\stubpath = "C:\\Windows\\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe"	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}\stubpath = "C:\\Windows\\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe"	{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}\stubpath = "C:\\Windows\\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe"	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
2476	{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
2844	{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
612	{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
1900	{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
File created	C:\Windows\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
File created	C:\Windows\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe	{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
File created	C:\Windows\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
File created	C:\Windows\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
File created	C:\Windows\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
File created	C:\Windows\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe	{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
File created	C:\Windows\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe	{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
File created	C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
File created	C:\Windows\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
File created	C:\Windows\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
Token: SeIncBasePriorityPrivilege	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
Token: SeIncBasePriorityPrivilege	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
Token: SeIncBasePriorityPrivilege	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
Token: SeIncBasePriorityPrivilege	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
Token: SeIncBasePriorityPrivilege	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
Token: SeIncBasePriorityPrivilege	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
Token: SeIncBasePriorityPrivilege	2476	{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
Token: SeIncBasePriorityPrivilege	2844	{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
Token: SeIncBasePriorityPrivilege	612	{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2068	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	30
PID 2056 wrote to memory of 2068	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	30
PID 2056 wrote to memory of 2068	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	30
PID 2056 wrote to memory of 2068	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	30
PID 2056 wrote to memory of 2956	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	31
PID 2056 wrote to memory of 2956	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	31
PID 2056 wrote to memory of 2956	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	31
PID 2056 wrote to memory of 2956	2056	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	31
PID 2068 wrote to memory of 2728	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	32
PID 2068 wrote to memory of 2728	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	32
PID 2068 wrote to memory of 2728	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	32
PID 2068 wrote to memory of 2728	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	32
PID 2068 wrote to memory of 2264	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	33
PID 2068 wrote to memory of 2264	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	33
PID 2068 wrote to memory of 2264	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	33
PID 2068 wrote to memory of 2264	2068	{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe	33
PID 2728 wrote to memory of 2540	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	34
PID 2728 wrote to memory of 2540	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	34
PID 2728 wrote to memory of 2540	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	34
PID 2728 wrote to memory of 2540	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	34
PID 2728 wrote to memory of 2620	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	35
PID 2728 wrote to memory of 2620	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	35
PID 2728 wrote to memory of 2620	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	35
PID 2728 wrote to memory of 2620	2728	{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe	35
PID 2540 wrote to memory of 2604	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	36
PID 2540 wrote to memory of 2604	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	36
PID 2540 wrote to memory of 2604	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	36
PID 2540 wrote to memory of 2604	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	36
PID 2540 wrote to memory of 2516	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	37
PID 2540 wrote to memory of 2516	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	37
PID 2540 wrote to memory of 2516	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	37
PID 2540 wrote to memory of 2516	2540	{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe	37
PID 2604 wrote to memory of 2656	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	38
PID 2604 wrote to memory of 2656	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	38
PID 2604 wrote to memory of 2656	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	38
PID 2604 wrote to memory of 2656	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	38
PID 2604 wrote to memory of 2760	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	39
PID 2604 wrote to memory of 2760	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	39
PID 2604 wrote to memory of 2760	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	39
PID 2604 wrote to memory of 2760	2604	{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe	39
PID 2656 wrote to memory of 2448	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	40
PID 2656 wrote to memory of 2448	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	40
PID 2656 wrote to memory of 2448	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	40
PID 2656 wrote to memory of 2448	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	40
PID 2656 wrote to memory of 2856	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	41
PID 2656 wrote to memory of 2856	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	41
PID 2656 wrote to memory of 2856	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	41
PID 2656 wrote to memory of 2856	2656	{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe	41
PID 2448 wrote to memory of 580	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	42
PID 2448 wrote to memory of 580	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	42
PID 2448 wrote to memory of 580	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	42
PID 2448 wrote to memory of 580	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	42
PID 2448 wrote to memory of 2408	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	43
PID 2448 wrote to memory of 2408	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	43
PID 2448 wrote to memory of 2408	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	43
PID 2448 wrote to memory of 2408	2448	{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe	43
PID 580 wrote to memory of 2476	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	44
PID 580 wrote to memory of 2476	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	44
PID 580 wrote to memory of 2476	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	44
PID 580 wrote to memory of 2476	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	44
PID 580 wrote to memory of 2840	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	45
PID 580 wrote to memory of 2840	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	45
PID 580 wrote to memory of 2840	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	45
PID 580 wrote to memory of 2840	580	{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe	45

C:\Users\Admin\AppData\Local\Temp\9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
  C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
    C:\Windows\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
      C:\Windows\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
        
        C:\Windows\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
        
        C:\Windows\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
        
        C:\Windows\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
        
        C:\Windows\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
        
        C:\Windows\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
        
        C:\Windows\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
        
        C:\Windows\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe
        
        C:\Windows\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE2F~1.EXE > nul
        12⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AA91~1.EXE > nul
        11⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0550~1.EXE > nul
        10⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02DDB~1.EXE > nul
        9⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36799~1.EXE > nul
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE0AB~1.EXE > nul
        7⤵
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CCFC~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E988~1.EXE > nul
        5⤵
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C4A7~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06BEE~1.EXE > nul
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9F941E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe

Filesize
380KB

MD5
cc9c25311a0fc16de3149a6af8bd2045

SHA1
46a1a01cfb9ab0686e45d4b9afcf82644ed46380

SHA256
92e0160537fcbd63091458240064cc7866809beee1142e22d6af59103c757387

SHA512
3f1d7f3ec68dc314b99e1efb28930d89a1fbfc3b52d0ae4286c7e12e5afb87c6f956872c0a99fdb58cf67b76429bdf3fb904b7de6679ca4004bbb59e358d99cb

Download Submit
C:\Windows\{02DDBECD-AA1C-4234-855C-9F84E468D431}.exe

Filesize
380KB

MD5
cc9c25311a0fc16de3149a6af8bd2045

SHA1
46a1a01cfb9ab0686e45d4b9afcf82644ed46380

SHA256
92e0160537fcbd63091458240064cc7866809beee1142e22d6af59103c757387

SHA512
3f1d7f3ec68dc314b99e1efb28930d89a1fbfc3b52d0ae4286c7e12e5afb87c6f956872c0a99fdb58cf67b76429bdf3fb904b7de6679ca4004bbb59e358d99cb

Download Submit
C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe

Filesize
380KB

MD5
1c265944a59c2e7ea88e5eb251d11ec2

SHA1
e45bc381f814ee5fd854646f6cd19e09519f67c1

SHA256
9b7bf4f5ac81ea99ad048ac7940b9aa91bd6a9ff1f633e61b8df24097d10f05e

SHA512
cad75a0b410b57beff38898e9a1100cb840ab193049162700f44ec3c305819375ac094f590ef498f9c2b7fded0978f96805ca31b9026c1343f3533c71824f6f2

Download Submit
C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe

Filesize
380KB

MD5
1c265944a59c2e7ea88e5eb251d11ec2

SHA1
e45bc381f814ee5fd854646f6cd19e09519f67c1

SHA256
9b7bf4f5ac81ea99ad048ac7940b9aa91bd6a9ff1f633e61b8df24097d10f05e

SHA512
cad75a0b410b57beff38898e9a1100cb840ab193049162700f44ec3c305819375ac094f590ef498f9c2b7fded0978f96805ca31b9026c1343f3533c71824f6f2

Download Submit
C:\Windows\{06BEE6CE-EC61-462c-BCED-4B220FFAD186}.exe

Filesize
380KB

MD5
1c265944a59c2e7ea88e5eb251d11ec2

SHA1
e45bc381f814ee5fd854646f6cd19e09519f67c1

SHA256
9b7bf4f5ac81ea99ad048ac7940b9aa91bd6a9ff1f633e61b8df24097d10f05e

SHA512
cad75a0b410b57beff38898e9a1100cb840ab193049162700f44ec3c305819375ac094f590ef498f9c2b7fded0978f96805ca31b9026c1343f3533c71824f6f2

Download Submit
C:\Windows\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe

Filesize
380KB

MD5
320252ee54096c80ac210341cc9131ee

SHA1
e85055cde7c0ceb1722d60f45b6390797cf233bd

SHA256
d83987a3e3f9a2eb8c3b5a56a1f45f101f4a388522a26765940940bc5f56a555

SHA512
c2b7e3d3360635742ecbbcad9066b0d232f3a2e0c5fcf0c3b9a034e9b6992f3d229a0bafaf27cbbe4d85871fb10a8d725afcf0946f5d81401e0471c442289d2b

Download Submit
C:\Windows\{1E988E47-AB2C-4f1a-9D30-6751FA04E8BB}.exe

Filesize
380KB

MD5
320252ee54096c80ac210341cc9131ee

SHA1
e85055cde7c0ceb1722d60f45b6390797cf233bd

SHA256
d83987a3e3f9a2eb8c3b5a56a1f45f101f4a388522a26765940940bc5f56a555

SHA512
c2b7e3d3360635742ecbbcad9066b0d232f3a2e0c5fcf0c3b9a034e9b6992f3d229a0bafaf27cbbe4d85871fb10a8d725afcf0946f5d81401e0471c442289d2b

Download Submit
C:\Windows\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe

Filesize
380KB

MD5
f4752eb9fbdd924b87ad00c1dbd92b80

SHA1
396b2fbef1e89bab0c8c55e1560b93281ae70f11

SHA256
8ec4266e87378920f224af93f5e469fddd075a76ba32c464d0484e68f9df23a4

SHA512
acb5624765752f2e94d5bd18c903635160a13b0ebb3f265b0cfdd3b0abb7743de910de52512e0e642f240d66166fbd360eaea87abb21626e3066fcfe3345228b

Download Submit
C:\Windows\{36799A12-C51C-4bec-877A-9E69EE5F5FD3}.exe

Filesize
380KB

MD5
f4752eb9fbdd924b87ad00c1dbd92b80

SHA1
396b2fbef1e89bab0c8c55e1560b93281ae70f11

SHA256
8ec4266e87378920f224af93f5e469fddd075a76ba32c464d0484e68f9df23a4

SHA512
acb5624765752f2e94d5bd18c903635160a13b0ebb3f265b0cfdd3b0abb7743de910de52512e0e642f240d66166fbd360eaea87abb21626e3066fcfe3345228b

Download Submit
C:\Windows\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe

Filesize
380KB

MD5
c35303587216b730f8092cd27d1198d6

SHA1
9b3f180ae128fec979c31c018ded2b986b63f15b

SHA256
a69ed0e75803991b7dde05d39af4b46c9e8301c97c34ea833e51f76214b1dca6

SHA512
e80c6f886838ae432ff67c42dc2889a327389c1103817e5aea2eb98e0db8e328f83bded87229de1456e7c2d8793bc8115a179d01e2506406cf489b44dbe783b9

Download Submit
C:\Windows\{4AA91DF2-6178-4211-8620-E3B26AC60CEF}.exe

Filesize
380KB

MD5
c35303587216b730f8092cd27d1198d6

SHA1
9b3f180ae128fec979c31c018ded2b986b63f15b

SHA256
a69ed0e75803991b7dde05d39af4b46c9e8301c97c34ea833e51f76214b1dca6

SHA512
e80c6f886838ae432ff67c42dc2889a327389c1103817e5aea2eb98e0db8e328f83bded87229de1456e7c2d8793bc8115a179d01e2506406cf489b44dbe783b9

Download Submit
C:\Windows\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe

Filesize
380KB

MD5
2a5a7bf460af361f88f8710945fd91a3

SHA1
5d8437ecf7bb9e17d1f15c76483863188c919b28

SHA256
13d02f6aa101ca7a122029a9ee622ac46d2d9f2fec68bbc7374daf9280e97a74

SHA512
94d562142c0d16c8d5536c6a9c05fce9b71b3f0e0dfa59e637bea819ada54ac70c6c15035f4fc0c2643ede35e53c57fb53cefe5546759899df62c5967064e804

Download Submit
C:\Windows\{5CCFC3AB-9BC4-4362-B870-E70882E5C301}.exe

Filesize
380KB

MD5
2a5a7bf460af361f88f8710945fd91a3

SHA1
5d8437ecf7bb9e17d1f15c76483863188c919b28

SHA256
13d02f6aa101ca7a122029a9ee622ac46d2d9f2fec68bbc7374daf9280e97a74

SHA512
94d562142c0d16c8d5536c6a9c05fce9b71b3f0e0dfa59e637bea819ada54ac70c6c15035f4fc0c2643ede35e53c57fb53cefe5546759899df62c5967064e804

Download Submit
C:\Windows\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe

Filesize
380KB

MD5
a517e957b5ed39844e268df41bebb5e4

SHA1
38d86eaf9982a77e9a5338f8539a10b5a9b79ea6

SHA256
9b679695c9fef6233725c4489f5884a8ccdba19b2b25464b5bf4b0914b58b8a7

SHA512
acd63e285b9a2872b37309d4577a565c0758a55af7806b0bb957909e01e1ded2d5c3e6412487a5de8443647a7ff3677720aff00c16b6b9531a03734d119f0d28

Download Submit
C:\Windows\{6C4A7C1D-9CDF-445b-B734-5793FB9997F3}.exe

Filesize
380KB

MD5
a517e957b5ed39844e268df41bebb5e4

SHA1
38d86eaf9982a77e9a5338f8539a10b5a9b79ea6

SHA256
9b679695c9fef6233725c4489f5884a8ccdba19b2b25464b5bf4b0914b58b8a7

SHA512
acd63e285b9a2872b37309d4577a565c0758a55af7806b0bb957909e01e1ded2d5c3e6412487a5de8443647a7ff3677720aff00c16b6b9531a03734d119f0d28

Download Submit
C:\Windows\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe

Filesize
380KB

MD5
a50d798f4caf4bd14ece78315fc9ac17

SHA1
64962a683e683b2a16174a5ee1f5266a84789aa8

SHA256
f763d7813cc6f72228a265fe9ab075d3bd032dc5b98a6812765fbc418fbb3815

SHA512
c3cab6b3fcaecda76383c31d6989f65fb5cfcca8e90df72b3fbcccd9ff29c57f0a59993ba5d00ccbf0c028eda8da19352dd16fa0b8e458ae482fba2a0f80f1da

Download Submit
C:\Windows\{BE0ABC48-9155-40c8-84C8-AE37B9CA9A59}.exe

Filesize
380KB

MD5
a50d798f4caf4bd14ece78315fc9ac17

SHA1
64962a683e683b2a16174a5ee1f5266a84789aa8

SHA256
f763d7813cc6f72228a265fe9ab075d3bd032dc5b98a6812765fbc418fbb3815

SHA512
c3cab6b3fcaecda76383c31d6989f65fb5cfcca8e90df72b3fbcccd9ff29c57f0a59993ba5d00ccbf0c028eda8da19352dd16fa0b8e458ae482fba2a0f80f1da

Download Submit
C:\Windows\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe

Filesize
380KB

MD5
45dacd2c74fc1e52f14bf28a4d6785c1

SHA1
1ee1cbfe2828c7750b53989236e0164b8b2e0a8f

SHA256
a871c1b325ea003e63fc7cfcfcaac0b97562a5bdb13ac1226de97c208bab1297

SHA512
ea88ebf404edfa75f4a0fc0b3af3a3a599cbe31119937dfd15ed7aceef915cc41004074f363771a48e0bb3922da08251334b37780fafb40300579dfe908dae1f

Download Submit
C:\Windows\{D0550B1E-7B6B-4e48-8714-B2FE46BD6EBE}.exe

Filesize
380KB

MD5
45dacd2c74fc1e52f14bf28a4d6785c1

SHA1
1ee1cbfe2828c7750b53989236e0164b8b2e0a8f

SHA256
a871c1b325ea003e63fc7cfcfcaac0b97562a5bdb13ac1226de97c208bab1297

SHA512
ea88ebf404edfa75f4a0fc0b3af3a3a599cbe31119937dfd15ed7aceef915cc41004074f363771a48e0bb3922da08251334b37780fafb40300579dfe908dae1f

Download Submit
C:\Windows\{E0C2961F-DC82-4818-A73D-5CC55CB88E0F}.exe

Filesize
380KB

MD5
fdd1c59eb2f5ccba24d439cdf3b16812

SHA1
546eca1f8d677d03c4498f6f5d0e12967eea8cf0

SHA256
476bacf0545331faa0dd92d86285bb4cf1b5c03739d74c6484d81cf0d6326d75

SHA512
8e73db31a91a82dfbc24020d6dab497fd4e587937a06f686be2410d6aeaadd531f5a850f925fc016c37286cadca4f4febee6512e638af9fb85e33e864400db3c

Download Submit
C:\Windows\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe

Filesize
380KB

MD5
c3e26cf2ee1ee0bc424cb1fecae5f466

SHA1
63486546ea564a2a60e8975bd236a60f5de95c10

SHA256
a101fe445ec13fb85ba31136e2135b0dbdc6c3806da4f979c302ea689424dfba

SHA512
f9fa409be8cede6d8f9e1e117ffdf7edb0211b58de74e9f9be391159bd74784e818feaad038569e4a2927d836208fcde58a77e6d91283ce5cc75de41bca82701

Download Submit
C:\Windows\{FEE2FA89-ADB9-4ec2-B47A-7476A8B93966}.exe

Filesize
380KB

MD5
c3e26cf2ee1ee0bc424cb1fecae5f466

SHA1
63486546ea564a2a60e8975bd236a60f5de95c10

SHA256
a101fe445ec13fb85ba31136e2135b0dbdc6c3806da4f979c302ea689424dfba

SHA512
f9fa409be8cede6d8f9e1e117ffdf7edb0211b58de74e9f9be391159bd74784e818feaad038569e4a2927d836208fcde58a77e6d91283ce5cc75de41bca82701

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads